Merge pull request ceph#57847 from thegreenbear/keepalived-security-context

cephadm/services/ingress: configure security user in keepalived template

Reviewed-by: Adam King <[email protected]>
Reviewed-by: John Mulligan <[email protected]>

Author: adk3798

src/pybind/mgr/cephadm/templates/services/ingress/keepalived.conf.j2

@@ -1,4 +1,9 @@
 # {{ cephadm_managed }}
+global_defs {
+    enable_script_security
+    script_user root
+}
+
 vrrp_script check_backend {
     script "{{ script }}"
     weight -20

src/pybind/mgr/cephadm/tests/test_services.py

@@ -1874,6 +1874,10 @@ def test_ingress_config(self, _run_cephadm, cephadm_module: CephadmOrchestrator)
                         {
                             'keepalived.conf':
                                 '# This file is generated by cephadm.\n'
+                                'global_defs {\n    '
+                                'enable_script_security\n    '
+                                'script_user root\n'
+                                '}\n\n'
                                 'vrrp_script check_backend {\n    '
                                 'script "/usr/bin/curl http://1.2.3.7:8999/health"\n    '
                                 'weight -20\n    '
@@ -1997,6 +2001,10 @@ def test_ingress_config_ssl_rgw(self, _run_cephadm, cephadm_module: CephadmOrche
                         {
                             'keepalived.conf':
                                 '# This file is generated by cephadm.\n'
+                                'global_defs {\n    '
+                                'enable_script_security\n    '
+                                'script_user root\n'
+                                '}\n\n'
                                 'vrrp_script check_backend {\n    '
                                 'script "/usr/bin/curl http://[1::4]:8999/health"\n    '
                                 'weight -20\n    '
@@ -2123,6 +2131,10 @@ def test_ingress_config_multi_vips(self, _run_cephadm, cephadm_module: CephadmOr
                         {
                             'keepalived.conf':
                                 '# This file is generated by cephadm.\n'
+                                'global_defs {\n    '
+                                'enable_script_security\n    '
+                                'script_user root\n'
+                                '}\n\n'
                                 'vrrp_script check_backend {\n    '
                                 'script "/usr/bin/curl http://1.2.3.7:8999/health"\n    '
                                 'weight -20\n    '
@@ -2257,6 +2269,10 @@ def test_keepalive_config_multi_interface_vips(self, _run_cephadm, cephadm_modul
                             {
                                 'keepalived.conf':
                                     '# This file is generated by cephadm.\n'
+                                    'global_defs {\n    '
+                                    'enable_script_security\n    '
+                                    'script_user root\n'
+                                    '}\n\n'
                                     'vrrp_script check_backend {\n    '
                                     'script "/usr/bin/curl http://1.2.3.1:8999/health"\n    '
                                     'weight -20\n    '
@@ -2448,6 +2464,10 @@ def test_keepalive_only_nfs_config(self, _run_cephadm, cephadm_module: CephadmOr
                         {
                             'keepalived.conf':
                                 '# This file is generated by cephadm.\n'
+                                'global_defs {\n    '
+                                'enable_script_security\n    '
+                                'script_user root\n'
+                                '}\n\n'
                                 'vrrp_script check_backend {\n    '
                                 'script "/usr/bin/false"\n    '
                                 'weight -20\n    '